Message-ID: <CAMj1kXGN=LFL0Cfp6DonAxTLMK7E4Pb0ocYRtQGBr52EHiRmrw@mail.gmail.com>
Date: Fri, 14 Nov 2025 16:47:18 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Sumit Garg <sumit.garg@...nel.org>
Cc: linux-arm-kernel@...ts.infradead.org, linux-efi@...r.kernel.org, 
	linux-arm-msm@...r.kernel.org, catalin.marinas@....com, will@...nel.org, 
	mark.rutland@....com, andersson@...nel.org, konradybcio@...nel.org, 
	dmitry.baryshkov@....qualcomm.com, shivendra.pratap@....qualcomm.com, 
	leif.lindholm@....qualcomm.com, linux-kernel@...r.kernel.org, 
	Sumit Garg <sumit.garg@....qualcomm.com>
Subject: Re: [PATCH 2/2] arm64: efi: Pass reboot cmd parameter to efi_reboot()

On Fri, 14 Nov 2025 at 13:16, Sumit Garg <sumit.garg@...nel.org> wrote:
>
> On Fri, Nov 14, 2025 at 10:35:33AM +0100, Ard Biesheuvel wrote:
> > On Fri, 14 Nov 2025 at 10:33, Ard Biesheuvel <ardb@...nel.org> wrote:
> > >
> > > On Fri, 14 Nov 2025 at 10:31, Sumit Garg <sumit.garg@...nel.org> wrote:
> > > >
> > > > On Fri, Nov 14, 2025 at 10:26:03AM +0100, Ard Biesheuvel wrote:
> > > > > On Fri, 14 Nov 2025 at 09:51, Sumit Garg <sumit.garg@...nel.org> wrote:
> > > > > >
> > > > > > From: Sumit Garg <sumit.garg@....qualcomm.com>
> > > > > >
> > > > > > EFI ResetSystem runtime service allows for platform specific reset type
> > > > > > allowing the OS to pass reset data for the UEFI implementation to take
> > > > > > > corresponding action. So let's pass the reboot cmd parameter for the EFI
> > > > > > driver to determine whether it's a platform specific reset requested or
> > > > > > not.
> > > > > >
> > > > > > Signed-off-by: Sumit Garg <sumit.garg@....qualcomm.com>
> > > > > > ---
> > > > > >  arch/arm64/kernel/process.c | 2 +-
> > > > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > > >
> > > > > > diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> > > > > > index fba7ca102a8c..51784986c568 100644
> > > > > > --- a/arch/arm64/kernel/process.c
> > > > > > +++ b/arch/arm64/kernel/process.c
> > > > > > @@ -136,7 +136,7 @@ void machine_restart(char *cmd)
> > > > > >          * ResetSystem().
> > > > > >          */
> > > > > >         if (efi_enabled(EFI_RUNTIME_SERVICES))
> > > > > > -               efi_reboot(reboot_mode, NULL);
> > > > > > +               efi_reboot(reboot_mode, cmd);
> > > > > >
> > > > >
> > > > > I agree with the general principle. However, there are already
> > > > > existing callers of kernel_restart() that would end up passing a
> > > > > random string to efi_reboot(), resulting in platform specific reset
> > > > > with undefined result.
> > > >
> > > > Yeah true but the UEFI spec says:
> > > >
> > > > "If the platform does not recognize the EFI_GUID in ResetData the platform
> > > > must pick a supported reset type to perform. The platform may optionally
> > > > log the parameters from any non-normal reset that occurs."
> > > >
> > > > So, in these cases the UEFI implementation can fall back to normal reset
> > > > optionally logging the reset data being passed. Does that sound
> > > > reasonable to you?
> > > >
> > >
> > > What the UEFI spec says might deviate from how real platforms in the
> > > field will behave when being passed a reset type that nobody ever
> > > tried passing before.
>
> I suppose from the OS point of view, we need to follow the UEFI
> specification. However, there will be scope for quirks later if
> real-world problems occur. Currently, in case of EFI reboot we are just
> ignoring the reboot cmd parameter.
>
> If you have in mind any sanity checks we should do here then feel free
> to propose and I can try to implement them.
>
> >
> > Also, the GUID is expected to follow an unbounded NULL terminated
> > UTF-16 string in memory, so we could easily cause a crash by doing
> > this if \0\0 doesn't appear in the memory following the string.
>
> Okay, I see. Would the following change on top of this patchset address this
> concern?
>
> --- a/drivers/firmware/efi/reboot.c
> +++ b/drivers/firmware/efi/reboot.c
> @@ -5,6 +5,7 @@
>   */
>  #include <linux/efi.h>
>  #include <linux/reboot.h>
> +#include <linux/ucs2_string.h>
>
>  static struct sys_off_handler *efi_sys_off_handler;
>
> @@ -14,11 +15,18 @@ void efi_reboot(enum reboot_mode reboot_mode, const char *data)
>  {
>         const char *str[] = { "cold", "warm", "shutdown", "platform" };
>         int efi_mode, cap_reset_mode;
> +       unsigned long reset_data_sz = 0;
> +       efi_char16_t *reset_data = NULL;
>
>         if (!efi_rt_services_supported(EFI_RT_SUPPORTED_RESET_SYSTEM))
>                 return;
>
>         if (data) {
> +               reset_data_sz = ucs2_strlen(data) * sizeof(efi_char16_t);

You can't just run ucs2_strlen() on an arbitrary buffer.

> +               reset_data = kzalloc(reset_data_sz + 2, GFP_KERNEL);
> +               memcpy(reset_data, data, reset_data_sz);
> +               reset_data_sz += 2;
> +

What happened to the GUID? It comes after the UTF-16 string, no?

>                 efi_mode = EFI_RESET_PLATFORM_SPECIFIC;
>         } else {
>                 switch (reboot_mode) {
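Review bot: the kzalloc() result in the if (data) branch goes straight into memcpy() with no NULL check, so an allocation failure on the reboot path becomes a NULL dereference. Check reset_data and take the else branch's reboot_mode handling when the allocation fails; the literal 2 used for the terminator would also read better as sizeof(efi_char16_t).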
> @@ -47,8 +55,7 @@ void efi_reboot(enum reboot_mode reboot_mode, const char *data)
>                 efi_mode = cap_reset_mode;
>         }
>
> -       efi.reset_system(efi_mode, EFI_SUCCESS, sizeof(data),
> -                        (efi_char16_t *)data);
> +       efi.reset_system(efi_mode, EFI_SUCCESS, reset_data_sz, reset_data);
>  }
>
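Review bot: the removed efi.reset_system() call passed sizeof(data), which is the size of a pointer rather than the length of the reset data, and the replacement corrects that without saying so. When this is posted as a proper patch, call the size fix out in the changelog or split it into its own commit so it can be reviewed separately from the new allocation.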

I think the main issue here is tying machine_restart(), which takes a
u8[] argument, to efi_reboot(), which takes a (u16[]) + L"\0" + GUID
buffer. So the change to efi_reboot() looks fine to me, we just cannot
call it directly from machine_restart() as you are suggesting.
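
The format mismatch described in the closing paragraph above, shown as an added example (not code from this thread or from the kernel): a user-space C function that converts a bounded `u8[]` reboot command into the `u16[]` + terminator + GUID layout. The function name, the 64-byte bound, the printable-ASCII restriction and the GUID bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESET_CMD_MAX 64 /* assumed upper bound on the command length */
#define GUID_LEN      16
/* Constructed placeholder GUID, not a real platform reset subtype. */
static const uint8_t example_guid[GUID_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/*
 * Build ResetData as described in the thread: UTF-16LE string, a 16-bit
 * NUL terminator, then the GUID. Returns the number of bytes written, or
 * 0 if cmd is empty, too long, not printable ASCII, or out is too small.
 */
size_t build_reset_data(const char *cmd, const uint8_t *guid,
                        uint8_t *out, size_t out_sz)
{
    size_t len, need, i;
    if (!cmd || !guid || !out)
        return 0;
    /* Bounded scan: reads at most RESET_CMD_MAX + 1 bytes of cmd. */
    for (len = 0; cmd[len]; len++) {
        unsigned char c = (unsigned char)cmd[len];
        if (len >= RESET_CMD_MAX || c < 0x20 || c > 0x7e)
            return 0;
    }
    need = (len + 1) * 2 + GUID_LEN;
    if (len == 0 || need > out_sz)
        return 0;
    for (i = 0; i < len; i++) {
        out[2 * i] = (uint8_t)cmd[i]; /* low byte */
        out[2 * i + 1] = 0;           /* high byte */
    }
    out[2 * len] = out[2 * len + 1] = 0; /* u16 terminator */
    memcpy(out + 2 * (len + 1), guid, GUID_LEN);
    return need;
}

int main(void)
{
    uint8_t buf[2 * (RESET_CMD_MAX + 1) + GUID_LEN];
    /* "bootloader" is a constructed sample command. */
    printf("%zu\n", build_reset_data("bootloader", example_guid, buf, sizeof(buf)));
    return 0;
}
```

The input is validated in full before anything is written, so a rejected command leaves the output buffer untouched.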
